Fix: Prevent review of unsubmitted storage requests

Aya Bezine · Aya Bezine · commit fc6f56f10d95 · 2024-12-11T17:29:59.000+01:00
Resolves biigle/core#35
diff --git a/src/Http/Controllers/Views/StorageRequestController.php b/src/Http/Controllers/Views/StorageRequestController.php
@@ -76,15 +76,19 @@ public function create(Request $request)
      *
      * @return \Illuminate\Http\Response
      */
-    public function review($id)
-    {
-        $request = StorageRequest::whereNull('expires_at')
-            ->with('files')
-            ->findOrFail($id);
-        $this->authorize('approve', $request);
 
-        return view('user-storage::review', [
-            'request' => $request,
-        ]);
-    }
+     public function review($id)
+{
+    $request = StorageRequest::whereNull('expires_at')
+        ->whereNotNull('submitted_at') // Add this condition
+        ->with('files')
+        ->findOrFail($id);
+
+    $this->authorize('approve', $request);
+
+    return view('user-storage::review', [
+        'request' => $request,
+    ]);
+}
+
 }
diff --git a/tests/Http/Controllers/Views/StorageRequestControllerTest.php b/tests/Http/Controllers/Views/StorageRequestControllerTest.php
@@ -55,31 +55,40 @@ public function testReview()
     {
         $request = StorageRequest::factory()->create();
         $id = $request->id;
-
+    
         $this->get("storage-requests/{$id}/review")->assertRedirect('login');
-
+    
         $this->actingAs($request->user)
             ->get("storage-requests/{$id}/review")
             ->assertStatus(403);
-
+    
         $user = UserTest::create([
             'role_id' => Role::editorId(),
         ]);
-
+    
         $this->actingAs($user)
             ->get("storage-requests/{$id}/review")
             ->assertStatus(403);
-
+    
         $user->role_id = Role::adminId();
         $user->save();
-
+    
         $this->actingAs($user)
             ->get("storage-requests/{$id}/review")
             ->assertViewIs('user-storage::review');
-
+    
         $request->update(['expires_at' => '2022-03-28 10:40:00']);
         $this->actingAs($user)
             ->get("storage-requests/{$id}/review")
             ->assertStatus(404);
+    
+        $unsubmittedRequest = StorageRequest::factory()->create([
+            'submitted_at' => null,
+        ]);
+    
+        $this->actingAs($user)
+            ->get("storage-requests/{$unsubmittedRequest->id}/review")
+            ->assertStatus(404); 
     }
+    
 }
